
I’m trying to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38175

We use a 3rd party antivirus and not Microsoft Defender. Microsoft recommends deleting the file MpSigStub.exe. It’s located in C:\Windows\System32. 

 

I tried to create the following but I think it's not working because System32 needs elevated privileges. Any ideas?

 

Evaluation Code:

 

Exit 1

 

Remediation code:

 

Remove-Item -Path "C:\Windows\System32\MpSigStub.exe"

Hi @fina27 !

Automox runs as SYSTEM so your issue is unlikely related to elevated privileges.

Since you are attempting to remove a file from the protected Windows\System32 directory, you'll need to include -Force -Recurse in your Remove-Item cmdlet.

Example:

Remove-Item -Path "C:\Windows\System32\MpSigStub.exe" -Force -Recurse

 

Your post inspired me though, and I decided to put together a formal Catalog Worklet that you can use to mitigate the vulnerability on devices that use a third-party AV instead of Defender.  You can check it out here: https://console.automox.com/manage/worklet-catalog/425

 

Evaluation code will check to see if Windows Defender is disabled and that the MpSigStub.exe file is present.  If both conditions are met, the device will be flagged for remediation.

 

The remediation code will then forcefully remove the MpSigStub.exe file from the device.


Output of the worklet run will be appended to your Activity Log:
 

 

This worklet is designed just for devices that aren’t using Defender as their primary AV.  If the devices use Defender, the MpSigStub.exe file will patch automatically during Defender’s definition updates so there’s no action needed for those devices.

 

I hope this helps!

 

Have a great evening!
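The evaluation/remediation pair described in the reply above, written out as an added example. This is not the original poster's script and not the code of the Automox catalog worklet linked above; the function names, the use of the WinDefend service state plus the Security Center AntiVirusProduct class to decide whether a third-party AV is the primary engine, and the takeown/icacls fallback are my assumptions. It follows the Automox convention that an evaluation exit code of 1 flags the device for remediation and 0 means compliant, and it assumes the script runs as SYSTEM, as the reply states.

```powershell
# Added example, not from the thread or the Automox catalog worklet.
# Assumptions: exit 1 = needs remediation, exit 0 = compliant (Automox worklet
# convention); runs as SYSTEM; root/SecurityCenter2:AntiVirusProduct (desktop
# SKUs only) reports which AV products are registered. Names are mine.

$StubPath = Join-Path $env:SystemRoot 'System32\MpSigStub.exe'

function Test-DefenderNotPrimary {
    # Defender is "not the primary AV" if its service is absent or stopped...
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $true }

    # ...or if a non-Microsoft product is registered with Security Center.
    # The namespace does not exist on Server SKUs, so an error means "unknown".
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction Stop
        $thirdParty = $products |
            Where-Object { $_.displayName -notmatch 'Windows Defender|Microsoft Defender' }
        if ($thirdParty) { return $true }
    } catch { }
    return $false
}

function Invoke-Evaluation {
    # Log lines go to the host stream so the function's only output is the exit code.
    $present = Test-Path -LiteralPath $StubPath -PathType Leaf
    if ((Test-DefenderNotPrimary) -and $present) {
        Write-Host "Non-compliant: Defender is not the active AV and $StubPath is present"
        return 1
    }
    Write-Host 'Compliant: Defender active or MpSigStub.exe absent'
    return 0
}

function Invoke-Remediation {
    if (-not (Test-Path -LiteralPath $StubPath -PathType Leaf)) {
        Write-Host 'Nothing to do: MpSigStub.exe not present'
        return 0
    }
    try {
        Remove-Item -LiteralPath $StubPath -Force -ErrorAction Stop
    } catch {
        # Fallback (assumption): if the file's ACL blocks SYSTEM, take ownership
        # for Administrators, grant SYSTEM full control, then retry the delete.
        Write-Host "Remove-Item failed ($($_.Exception.Message)); adjusting ACL and retrying"
        & takeown.exe /F $StubPath /A | Out-Null
        & icacls.exe $StubPath /grant 'NT AUTHORITY\SYSTEM:F' | Out-Null
        Remove-Item -LiteralPath $StubPath -Force -ErrorAction Stop
    }
    # Verify, so a failure shows up in the Activity Log as a non-zero exit.
    if (Test-Path -LiteralPath $StubPath) {
        Write-Host "FAILED: $StubPath still present"
        return 1
    }
    Write-Host "Removed $StubPath"
    return 0
}

# Paste Invoke-Evaluation into the worklet's Evaluation field and
# Invoke-Remediation into its Remediation field (each followed by 'exit $rc').
# Run stand-alone: .\MpSigStub.ps1 Evaluate   or   .\MpSigStub.ps1 Remediate
$mode = if ($args.Count -gt 0) { $args[0] } else { 'Evaluate' }
$rc = if ($mode -eq 'Remediate') { Invoke-Remediation } else { Invoke-Evaluation }
exit $rc
```

Note that -Recurse is not needed for a single file; -Force is what lets Remove-Item delete a read-only or hidden file. The deliberate post-delete Test-Path matters in a worklet: without it the remediation exits 0 even when the delete silently failed, and the device drops off the non-compliant list while the file is still there.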


Wow! Thank you very much! Perfect reason why we have Automox.

